Multiple Threat Actors Moving Quickly to Exploit PHP Flaw
Easily Exploited Vulnerability Becomes Major Target for Malware Campaigns, Botnets

Multiple threat actors began exploiting a critical vulnerability in the PHP scripting language within a day of its public disclosure last month, according to security firm Akamai. Administrators are advised to patch immediately.
Within days of the disclosure, the Akamai Security Intelligence Response Team spotted several malware campaigns taking advantage of the PHP vulnerability, tracked as CVE-2024-4577. The speed of the campaigns reflects the ease of exploitation, researchers said.
The flaw affects PHP installations running in CGI mode, particularly on Windows systems that use Chinese and Japanese language locale identifiers.
To exploit the flaw, attackers use the php://input stream wrapper to place malicious code in the body of a request so that PHP reads and executes it. They typically pair it with the PHP auto_prepend_file and allow_url_include options to ensure their code is executed first and can retrieve data from remote locations.
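The three request-level indicators named above (php://input, auto_prepend_file and allow_url_include) are what a defender can look for in web server access logs. The following is an added example written for this article, not code from Akamai or the PHP project: it parses Common Log Format lines, percent-decodes the request target (repeatedly, so double encoding cannot hide an indicator) and reports requests carrying any of the three strings. The log lines are constructed samples, not a real capture.

```python
import re
from urllib.parse import unquote_plus

# Indicators named in the article: attackers targeting CVE-2024-4577 on php-cgi
# installations abuse php://input together with these two PHP options.
INDICATORS = ("php://input", "auto_prepend_file", "allow_url_include")

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_target(target: str) -> str:
    """Percent-decode up to three rounds so nested encoding cannot hide an indicator."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()

def matched_indicators(target: str) -> list[str]:
    """Return the indicators present in the decoded request target, in INDICATORS order."""
    decoded = decode_target(target)
    return [ind for ind in INDICATORS if ind in decoded]

def scan_log(lines):
    """Return (host, time, raw target, matched indicators) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        found = matched_indicators(m.group("target"))
        if found:
            hits.append((m.group("host"), m.group("time"), m.group("target"), found))
    return hits

# Constructed sample log lines (not a real capture). The second and third carry the
# article's indicators, the third double-encoded; the first and last are benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2024:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2024:08:02:30 +0000] "POST /index.php?opt=auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Jun/2024:08:02:31 +0000] "POST /index.php?opt=allow_url_include%253D1 HTTP/1.1" 500 0',
    '198.51.100.8 - - [10/Jun/2024:08:03:00 +0000] "GET /static/app.js HTTP/1.1" 304 0',
]

if __name__ == "__main__":
    for host, when, target, found in scan_log(SAMPLE_LOG):
        print(f"{when} {host} {target} -> {', '.join(found)}")
```

A hit on any of these strings in a request to a php-cgi host is worth triaging against the patch status of that installation; the article's own advice is to patch immediately.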
Akamai identified these active malware campaigns:
- Gh0st RAT Malware: This open-source remote access tool, which has been in use for over 15 years, was observed targeting this PHP flaw within 24 hours of disclosure. A malicious payload captured in the wild showed the malware enumerates connected drives and peripherals and queries the registry. The malware communicated with a command-and-control server based in Germany.
- RedTail Cryptominer: This campaign involved a shell script that downloaded a miner file using wget or curl. The script targeted directories with read, write and execute permissions, excluding certain directories such as /tmp and /proc. The payload, once downloaded and executed, was renamed .redtail. This script, likely a result of threat actors reusing generic scripts, was effective.
- Muhstik Malware: This campaign downloads a version of Muhstik malware, which targets internet of things devices and Linux servers for cryptomining and DDoS purposes. The malware created several directories and communicated with a command-and-control domain previously associated with Muhstik campaigns.
- XMRig Cryptominer: The fourth campaign exploited the vulnerability to execute a PowerShell command, downloading and executing a script to spin up XMRig from a remote mining pool. The malware then cleaned up the temporary files to obfuscate the activity.
Akamai researchers recommend organizations act quickly to assess vulnerabilities and apply patches immediately.